Following an apparent hack of a number of celebrity Instagram accounts earlier this week, a website is now selling access to a searchable database of thousands of credentials, Ars Technica reported.

The unnamed site claims to have a database of more than 10,000 credentials, and potentially millions more, along with contact information, all stolen in a recent breach of Instagram. It is offering visitors the ability to search and view those credentials for $10 per search query.

Instagram confirmed the initial breach, stating high-profile users were targeted but noting that no passwords were believed to be stolen. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue,” an Instagram spokesperson said in response to the breach.

The revelation of the database of stolen credentials suggests the data breach that hit Instagram is bigger than it was initially believed to be and could put more users at risk than was originally reported.

A sample of the records was tested by security researcher Troy Hunt, operator of breach notification service Have I Been Pwned. Hunt concluded the database appears legitimate. Instagram has not yet confirmed the legitimacy of the database, but said it was investigating the claim.

Ars Technica also reported the site had received 12 deposits and made about $500 within the first six hours of the searchable database going live on Friday.

According to Ars Technica’s analysis, 9,911 of the 10,000 records provided included a phone number or email address, including 5,341 that list just a phone number and 4,341 that are linked to both an email address and phone number.

The information included phone numbers with country and area codes from around the world, including users located in Australia, Thailand and Germany. Those phone numbers were consistent with the location of the user associated with the contact information. Some of the accounts available in the database had millions of followers.

“My conclusion: there's nothing in here to disprove the data,” Hunt told Ars Technica. “It's possible it has been scraped together from other sources, but every indication is that it's legitimate.”

The person who supposedly exploited the vulnerability to access the accounts from Instagram told Ars Technica he found out about the security hole in an IRC chatroom and suggested other people may have used the exploit on a smaller scale.

While an analysis of the breach from Kaspersky Lab suggested it wasn’t possible to exploit the bug in an automated fashion, the person behind the hack said otherwise. According to him, he was able to steal nearly one million account credentials per hour.

The attacker claims to have more than six million accounts in total. If the sample is representative of the rest of the breach, it seems likely the majority of those accounts have at least one form of contact information associated with them, putting millions of users at risk of having personal information stolen.